A redirect is one of the basic tests for bypassing SSRF protection, but we should make sure it is a cross-protocol redirect. That is because in some libraries, like request, you can specify an agent that will only make a request to a whitelisted resource. However, there was...
#75
Pretalx Vulnerabilities: How to get accepted at every conference
This blog post describes two path traversal bugs in Pretalx. One thing to note is the set of transformations the path went through before being saved on disk. Another interesting point is the way a file write can be escalated to RCE in Python environments....
Secrets leaked in Postman collections
Trufflehog released a blog post about secrets leaked in Postman collections. They give an interesting breakdown of how many secrets are leaking and where. https://trufflesecurity.com/blog/postman-carries-lots-of-secrets
Ruby send leads to disclosing 1220 GitHub env variables
Ruby’s send function allows you to dynamically call a method with a given name. While this sounds great, there is usually not much fun you can have without controlling the method’s arguments. But in GitHub, Ngo Wei Lin found a way to leak all the environment...
Oauth #2 – CSRFs and the state
For a long time, the only OAuth attack that I knew was worth trying was changing the redirect_uri. But I’ve been missing out on a lot! In recent years I’ve become more and more proficient with OAuth and I see many more attack scenarios. In this multi-part series,...
Bug Bounty and the 5 aspects of motivation
Motivation is something every single hunter struggles with. I’m no exception. If you’ve been following me for longer, you know I’ve been complaining about my hunting motivation so I’m very interested in improving in this area. When I was younger, I used to think money...